Certification report patch 3407

Author: Elisabetta Molinari elisabetta.molinari@mi.infn.it

Outcome: Certified

Automatic tests

  • tests on voms core were run automatically as a result of a build in etics, see here
  • voms-admin automatic testing: run the voms-cli tests from the testsuite here, after adjusting the error messages to the new ones:
    • here's a result of the command './myCheck-VOMS -n voms-rd02-21.cnaf.infn.it -l test-sequence.lst.voms-admin'
      Test VOMS-addMember   - OK
      Test VOMS-assignRole   - OK
      Test VOMS-crAttribute   - OK
      Test VOMS-crGroup   - OK
      Test VOMS-crRole   - OK
      Test VOMS-crUser   - OK
      Test VOMS-crUserNocert   - OK
      Test VOMS-delAttribute   - OK
      Test VOMS-delGroup   - OK
      Test VOMS-delGroupAttribute   - OK
      Test VOMS-delRole   - OK
      Test VOMS-delRoleAttribute   - OK
      Test VOMS-delUser   - OK
      Test VOMS-delUserAttribute   - OK
      Test VOMS-dismissRole   - OK
      Test VOMS-listAttributes   - OK
      Test VOMS-listGroupAttributes   - OK
      Test VOMS-listGroups   - OK
      Test VOMS-listMembers   - OK
      Test VOMS-listRoleAttributes   - OK
      Test VOMS-listRoles   - OK
      Test VOMS-listSubGroups   - OK
      Test VOMS-listUserAttributes   - OK
      Test VOMS-listUserGroups   - OK
      Test VOMS-listUserRoles   - OK
      Test VOMS-listUsers   - OK
      Test VOMS-listUsrWithRol   - OK
      Test VOMS-removeMember   - OK
      Test VOMS-setGroupAttribute   - OK
      Test VOMS-setRoleAttribute   - OK
      
      here's the full result report
  • voms-core automatic testing, run the voms-core tests from the testsuite here:
    • here's a result of the command './myCheck-VOMS -n voms-rd02-21.cnaf.infn.it -l test-sequence.lst.voms-core':
      Test VOMS-pr-attr   - OK
      Test VOMS-pr-bits   - OK
      Test VOMS-pr-cert   - OK
      Test VOMS-pr-conf   - OK
      Test VOMS-pr-dbg   - OK
      Test VOMS-pr-genattr   - OK
      Test VOMS-pr-hlp   - OK
      Test VOMS-pr-hours   - OK
      Test VOMS-pr-ign   - OK
      Test VOMS-pr-key   - OK
      Test VOMS-pr-limit   - OK
      Test VOMS-pr-list   - OK
      Test VOMS-pr-noreg   - OK
      Test VOMS-pr-order   - OK
      Test VOMS-pr-out   - OK
      Test VOMS-pr-pver   - OK
      Test VOMS-pr-pwst   - OK
      Test VOMS-pr-quiet   - OK
      Test VOMS-pr-RoleOrder   - OK
      Test VOMS-pr-usg   - OK
      Test VOMS-pr-valid   - OK
      Test VOMS-pr-verify   - OK
      Test VOMS-pr-vers   - OK
      Test VOMS-pr-vlf   - OK
      Test VOMS-pr-vomses   - OK
      Test VOMS-pr-warn   - OK
      here's the full result report

Clean installation

  • installation steps:
    wget http://etics-repository.cern.ch:8080/repository/pm/volatile/repomd/id/fa01c264-37cc-4539-a3b3-da59486a13dd/sl5_x86_64_gcc412/etics-volatile-build-by-id.repo
    yum install glite-VOMS_mysql
    yum install lcg-CA
    here's the yum install log
    here's the updated yum install log
  • configuration steps:
    Copy siteinfo.def and services/glite-voms_mysql from '/opt/glite/yaim/examples/siteinfo' into your favourite directory. Rename glite-voms_mysql to glite-voms.
    Set the yaim variables as specified here: https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables
    Launch '/opt/glite/yaim/bin/yaim -c -s site-info.def -n VOMS'
    
  • yaim configuration log
  • yaim configuration files used:
    cat ~/siteinfo/site-info.def
    # Uncomment this variable if you are installing a mysql server
    # It is the MySQL admin password. 
    MYSQL_PASSWORD="admin"
    
    
    # Human-readable name of your site
    SITE_NAME=voms-sa3-italia
    
    ##############################
    # VO configuration variables #
    ##############################
    # If you are configuring a DNS-like VO, please check
    # the following URL: https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400#vo_d_directory
    
    # Space separated list of VOs supported by your site
    VOS="sa3test vomstest"
    -----------------------------------------------------------------
    
    cat ~/siteinfo/services/glite-voms
    # VOMS server hostname
    VOMS_HOST=localhost
    
    # Hostname of the database server. Put 'localhost'
    # if you run the database on the same machine.
    # This parameter can be specified per VO in the following way:
    # VO_<vo_name>_VOMS_ADMIN_DB_HOST
    VOMS_ADMIN_DB_HOST='localhost'
    
    VO_SA3TEST_VOMS_DB_HOST="voms-rd02-21.cnaf.infn.it"
    VO_SA3TEST_VOMS_DB_TYPE="mysql"
    VO_SA3TEST_VOMS_DB_USER="sa3test_user"
    VO_SA3TEST_VOMS_DB_PASS="pwd"
    VO_SA3TEST_VOMS_DB_NAME="db_sa3test"
    VO_SA3TEST_VOMS_PORT="15001"
    
    VO_VOMSTEST_VOMS_DB_HOST="voms-rd02-21.cnaf.infn.it"
    VO_VOMSTEST_VOMS_DB_TYPE="mysql"
    VO_VOMSTEST_VOMS_DB_USER="vomstest_user"
    VO_VOMSTEST_VOMS_DB_PASS="pwd1"
    VO_VOMSTEST_VOMS_DB_NAME="db_vomstest"
    VO_VOMSTEST_VOMS_PORT="15002"
    
    VOMS_ADMIN_SMTP_HOST="localhost"
    VOMS_ADMIN_MAIL="elisabetta.molinari@mi.infn.it"
    VOMS_DB_DEPLOY="true"
    -----------------------------------------------
    

Upgrade from production

  • Since this is the first release of VOMS for SL5, only the upgrade of the mysql backend has been tested. The basic steps of a sample upgrade follow:
    - dump the old database  on the old VOMS server and transfer the file to the new node: mysqldump -h <OLD_HOSTNAME> -u <USER> -p --databases <DB_NAME> > <DUMP_FILE>
    - mysql -u root -p < dbsa3test; mysql -u root -p < dbvomstest;
    - grant all on *.* to 'root'@'voms-rd02-21.cnaf.infn.it' identified by 'admin';
    - grant all on db_sa3test.* to 'sa3test_user'@'voms-rd02-21.cnaf.infn.it' identified by 'admin';
    - grant all on db_sa3test.* to 'sa3test_user'@'localhost' identified by 'admin';
    - grant all on db_vomstest.* to 'vomstest_user'@'voms-rd02-21.cnaf.infn.it' identified by 'admin';
    - grant all on db_vomstest.* to 'vomstest_user'@'localhost' identified by 'admin';
    - synchronize yaim conf files from the old machine with the new one, i.e. make sure username and password for the VO databases are the same 
    - launch yaim configuration after setting yaim variable  VOMS_DB_DEPLOY to 'false' in the siteinfo.def or the services/glite-voms file
    - re-start tomcat
    - launch upgrade VO, for each VO as in the following: /opt/glite/sbin/voms-admin-configure upgrade --vo=sa3test
    - re-start voms server and voms-admin
    - register the VOMS host identity as a default admin: /opt/glite/sbin/voms-db-deploy.py add-admin --vo sa3test --cert /etc/grid-security/hostcert.pem
    here's an upgrade log
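
A pre-flight check for the "synchronize yaim conf files" and VOMS_DB_DEPLOY steps above, as an added example that is not part of the original report or of yaim. It assumes the per-VO variable names shown in the glite-voms file earlier on this page, and that each node's site-info.def and services/glite-voms contents are passed in as one string; the sample values are constructed.

```python
import re

# Shell-style assignment as used in yaim files: KEY=value, KEY="value" or KEY='value'.
ASSIGN = re.compile(r"""^\s*([A-Za-z_]\w*)=(?:"([^"]*)"|'([^']*)'|(\S*))\s*(?:#.*)?$""")
# Per-VO database credentials, e.g. VO_SA3TEST_VOMS_DB_USER.
VO_CRED = re.compile(r"^VO_(\w+?)_VOMS_DB_(USER|PASS)$")


def parse_yaim(text):
    """Return {name: value} for each assignment; comments and other lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            values[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return values


def check_upgrade_config(old_text, new_text):
    """Compare old-node and new-node settings; findings never echo a secret value."""
    old, new = parse_yaim(old_text), parse_yaim(new_text)
    findings = []
    for name in sorted(set(old) | set(new)):
        if not VO_CRED.match(name):
            continue
        if name not in new:
            findings.append(name + ": missing on new node")
        elif name not in old:
            findings.append(name + ": missing on old node")
        elif old[name] != new[name]:
            findings.append(name + ": differs between nodes")
    # The upgrade reuses the imported databases, so yaim must not redeploy them.
    if new.get("VOMS_DB_DEPLOY", "").lower() != "false":
        findings.append("VOMS_DB_DEPLOY: must be 'false' on the new node")
    return findings


# Constructed sample files: variable names from the page, values are placeholders.
OLD_CONF = '''VO_SA3TEST_VOMS_DB_USER="sa3test_user"
VO_SA3TEST_VOMS_DB_PASS="old-secret"   # constructed value
VO_VOMSTEST_VOMS_DB_PASS="other-secret"
'''
NEW_CONF = '''VO_SA3TEST_VOMS_DB_USER="sa3test_user"
VO_SA3TEST_VOMS_DB_PASS="new-secret"
VOMS_DB_DEPLOY="true"
'''

if __name__ == "__main__":
    for finding in check_upgrade_config(OLD_CONF, NEW_CONF):
        print(finding)
```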

Check Bugs:

Voms Admin 2.5-cli

  • BUG #38150: "Extend member status in voms-admin" FIXED
    • checked that active and suspend status are present in the voms-admin webapp.
  • BUG #38151: "Implement member institutional expiration in voms-admin" FIXED
  • BUG #43127: "implement in voms-admin VO membership expiration bound to AUP version" FIXED
  • BUG #43129: "implement in voms-admin an authorisation-aware web UI" FIXED
  • BUG #43130: "multiple certificate support" FIXED
  • BUG #43189: "allow user to request his/her inclusion in a Group/Role in voms-admin" FIXED
  • BUG #43264: "voms-admin to keep user Registration Data in the VOMS database" FIXED
  • BUG #60328: "remove-certificate does not work" FIXED
    • tried with a non-existent pair DN/CA as in the following:
       voms-admin --vo sa3test --nousercert remove-certificate '/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Elisabet' '/C=IT/O=INFN/CN=INFN'
      org.glite.security.voms.admin.database.NoSuchCertificateException: No certificate found matching subject '/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Elisabet, /C=IT/O=INFN/CN=INFN'.
  • BUG #60329: "Not possible to restore a certificate from the command line" FIXED
    • launch
      voms-admin --vo sa3test suspend-certificate .globus/usercert.pem 'security incident'
    • launch
      voms-admin --vo sa3test restore-certificate .globus/usercert.pem
  • BUG #60337: "Locks held on access denied when processing membership requests" FIXED
    • Actually this, and all the other bugs regarding locks not being well managed, were due to an improper management of the hibernate session when exceptions were raised. This is fixed in the code now.
  • BUG #60483: "Unhandled exception when deleting groups containing subgroups & locks held" FIXED
    • create a group, for example:
      voms-admin --vo sa3test create-group testgroup
    • create a subgroup, for example:
      voms-admin --vo sa3test create-group testgroup/testsubgroup
    • try to delete the parent group 'testgroup' from the webadmin
    • no exception is returned but an error message as the following: "The group testgroup cannot be deleted since it contains subgroups"
  • BUG #51657: "delete-user does not treat Email= and emailAddress= as equivalent" FIXED
    • given the following usercert:
      openssl x509 -in cas/ca2/certs/08.pem -text -noout | more
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 8 (0x8)
              Signature Algorithm: sha1WithRSAEncryption
              Issuer: DC=CH, DC=CERN, OU=EMAILCA, CN=emailca.cern.ch/emailAddress=emailca@cern.ch
              Validity
                  Not Before: Mar  8 20:32:58 2010 GMT
                  Not After : Mar  8 20:32:58 2011 GMT
              Subject: DC=CH, DC=CERN, OU=EMAILCA, CN=Test user 3/emailAddress=test_user_3@emailca.cern.ch
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
    • created a new user from the voms cli as in the following:
      voms-admin --vo sa3test create-user cas/ca2/certs/08.pem
       voms-admin --vo sa3test list-users
      ..........
      /DC=CH/DC=CERN/OU=EMAILCA/CN=Test user 3/Email=test_user_3@emailca.cern.ch, /DC=CH/DC=CERN/OU=EMAILCA/CN=emailca.cern.ch/Email=emailca@cern.ch - test_user_3@emailca.cern.ch
    • tried to delete the user:
       voms-admin --vo sa3test delete-user cas/ca2/certs/08.pem
      org.glite.security.voms.admin.persistence.error.NoSuchUserException: User '/DC=CH/DC=CERN/OU=EMAILCA/CN=Test user 3/Email=test_user_3@emailca.cern.ch,/DC=CH/DC=CERN/OU=EMAILCA/CN=emailca.cern.ch/emailAddress=emailca@cern.ch' not found in org.glite.security.voms.admin.persistence.error!
      voms-rd02-21
  • BUG #54613: "voms-admin-configure ignores --dbhost option when configuring mysql VO" FIXED
    • launched the following:
      voms-admin-configure install --vo adminDeploy --createdb --deploy-database --dbtype mysql --dbhost cert-10.cnaf.infn.it --port 15002 --dbusername 'admin_Deploy' --dbpassword 'pwd' --mail-from elisabetta.molinari@mi.infn.it --verbose --smtp-host smtp.cnaf.infn.it --dbapwd 'admin'
  • BUG #54614: "voms-admin-configure should not try to create an administrator if the --skip-database option is set" FIXED
  • BUG #56065: "voms-admin email notification behaviour should be configurable" FIXED
  • BUG #58656: "Unique GAs handling exception" FIXED
  • BUG #60517: "Unhandled exception when adding ACL entry" FIXED
    • add a new ACL entry for a non VO member
    • add another ACL entry for a non VO member setting the same subject as for the member above and a different CA
    • the following error message is returned:
      An administrator with the given subject already exists. Choose a different subject!
      Certificate subject: 
  • BUG #60600: "Problems with groups and roles having special characters in the name" FIXED
    • Creating groups and roles with special characters in the name is not allowed
  • BUG #60604: "Error adding a default ACL for a group" FIXED
  • BUG #61292: "VOMS Admin 2.0.7 Client fails with some (non-ASCII?) characters" FIXED
  • BUG #59918: "NullPointerException during group creation with slash in the name" FIXED
  • BUG #59919: "No warning when creating a group in a read-only context" FIXED
    • set the user to read only under '/sa3test/test'
    • tried to create a group under '/sa3test/test' and the following is returned:
      Insufficient privileges to execute 'CreateGroupOperation'.
  • BUG #59933: "Problem removing config backup" FIXED
  • BUG #59985: "'ALL' permission resolution" FIXED
    • set an ACL permission for a member to ALL
    • check in the voms-admin webadmin that the field for 'suspend' is set to yes
  • BUG #60256: "Unhandled 'UserAlreadyExists' Exception" FIXED
  • BUG #60264: "Uncought 'IllegalArgumentException' on request confirm" FIXED
    • tried to click on the confirmation link twice
  • BUG #60265: "Other VOs list not complete" FIXED
  • BUG #60296: "Database session problems when wrong request confirmation parameters are submitted" FIXED
    • Actually this, and all the other bugs regarding locks not being well managed, were due to an improper management of the hibernate session when exceptions were raised. This is fixed in the code now.
  • BUG #60308: "It is not possible to remove an AUP which has acceptance records" FIXED
  • BUG #60313: "Trigger reacceptance work only for the predefined AUP" FIXED
    • defined a new AUP with a new version
    • triggered re-acceptance to the existing members
  • BUG #60314: "Links in user AUP acceptance history displaying same AUP" FIXED
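
The DN mismatch behind BUG #51657 (Email= versus emailAddress=), as an added example of one way to compare such DNs; it is not the voms-admin implementation. The function names and the alias set are assumptions, and the "from cert" DNs are the openssl subject and issuer shown above rewritten in slash form.

```python
import re

# Spellings that tools commonly print for the PKCS#9 emailAddress attribute
# (OID 1.2.840.113549.1.9.1). The alias set is an assumption of this example.
EMAIL_ALIASES = {"email", "emailaddress", "e"}


def split_rdns(dn):
    """Split a slash-form DN ('/DC=CH/.../CN=x') into (type, value) pairs.

    A '/' starts a new RDN only when followed by 'TYPE=', so a value that
    itself contains a slash (e.g. CN=host/fqdn) stays in one piece.
    """
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn.strip())
    return [tuple(p.split("=", 1)) for p in parts if p]


def normalize_dn(dn):
    """Canonical form: lower-cased attribute types, e-mail aliases folded."""
    out = []
    for attr, value in split_rdns(dn):
        key = attr.lower()
        if key in EMAIL_ALIASES:
            key = "emailaddress"
        out.append((key, value.strip()))
    return tuple(out)


def same_dn(a, b):
    return normalize_dn(a) == normalize_dn(b)


def same_identity(subject_a, issuer_a, subject_b, issuer_b):
    """A VOMS user is keyed by (subject, issuer), so both DNs must match."""
    return same_dn(subject_a, subject_b) and same_dn(issuer_a, issuer_b)


# DNs as listed by 'voms-admin list-users' on this page.
SUBJECT_STORED = "/DC=CH/DC=CERN/OU=EMAILCA/CN=Test user 3/Email=test_user_3@emailca.cern.ch"
ISSUER_STORED = "/DC=CH/DC=CERN/OU=EMAILCA/CN=emailca.cern.ch/Email=emailca@cern.ch"
# The same DNs as openssl prints them for cas/ca2/certs/08.pem, in slash form.
SUBJECT_FROM_CERT = "/DC=CH/DC=CERN/OU=EMAILCA/CN=Test user 3/emailAddress=test_user_3@emailca.cern.ch"
ISSUER_FROM_CERT = "/DC=CH/DC=CERN/OU=EMAILCA/CN=emailca.cern.ch/emailAddress=emailca@cern.ch"

if __name__ == "__main__":
    print(same_identity(SUBJECT_STORED, ISSUER_STORED, SUBJECT_FROM_CERT, ISSUER_FROM_CERT))
```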

Voms core

  • see tests performed for patch #3142

-- ElisabettaMolinari - 2010-02-17

Topic attachments

  • full_result.html.gz (2.2 K, 2010-03-18 08:36): full result voms admin report
  • full_result_vomscore.html.gz (3.9 K, 2010-03-18 08:39): full result voms core report
  • upgrade_log.gz (2.1 K, 2010-03-23 09:29): upgrade log
  • yaimlog (33.3 K, 2010-03-18 15:09): yaim configuration log
  • yum_install_3407 (16.5 K, 2010-04-13 07:28): yum install 3407
  • yum_install_3407_1304 (7.6 K, 2010-04-20 09:52)
  • yum_install_log.gz (2.4 K, 2010-03-18 14:24): yum install log

Topic revision: r34 - 2010-04-20 - ElisabettaMolinari